The following information was obtained from the different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) is a serious vulnerability that affects the Hyper Text Transfer Protocol Secure (HTTPS) and other services that rely on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS), some of the essential cryptographic protocols for Internet security. These protocols are used to allow the netizens to browse the web, use the email, shop online, and send instant messages without third parties being able to read the communication.

The DROWN attack breaks the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. One of the modus of this attack is when the attacker impersonates a secure website and intercept or change the content the user sees.

The targets of this attack are websites, mail servers, and other TLS-dependent services.

Modern servers and clients use TLS encryption protocol, however there are still servers that supports SSLv2 which is a threat for it allows attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

RECOMMENDATION

PNP personnel and the public are advised to follow the best practices to protect their respective servers from DROWN attack:

Always ensure that private keys are not used anywhere with server software that allows SSLv2 connections (web servers, SMTP servers, IMAP and POP servers and any other software that supports SSL/TLS).

Disable SSLv2 if not in used for the server operation.

Upgrade to a recent OpenSSL version. OpenSSL 1.0.2 users should upgrade to 1.0.2g. OpenSSL 1.0.1 users should upgrade to 1.0.1s.